OneB1t / VcMOSTRenderMqb

Way to write custom data or VNC stream to Virtual cockpit for MQB platform
The Unlicense

Ideas for data to grab #1

Open jilleb opened 10 months ago

jilleb commented 10 months ago

There are a few data elements you can grab from the persistence channels.

export LD_LIBRARY_PATH=/mnt/app/root/lib-target:/eso/lib:/mnt/app/usr/lib:/mnt/app/armle/lib:/mnt/app/armle/lib/dll:/mnt/app/armle/usr/lib 
export IPL_CONFIG_DIR=/etc/eso/production 

on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc i:<address>:<key>

I know of the following:

Address Key Data element
1304 211 Drive Level
1304 212 Night mode
1304 213 Distance
1304 214 Gear
1304 215 Fuel level low
1304 216 Speed
1304 217 Sat # in view
1304 218 Sat # in use
1304 219 GPS latitude (E7)
1304 220 GPS longitude (E7)
1304 221 GPS accuracy (E3)
1304 222 GPS altitude (E2)
1304 223 GPS speed (E3)
1304 224 GPS bearing (E6)
1304 225 Parking brake
1304 226 GPS timestamp

These are used in the Android Auto Sensors green menu screen. It should be possible to grab the Exlap data as well, but I never figured out how... would be lovely to be able to send the transmission temperature to the AID, since this data element isn't available anywhere else.

You can grab them with pc

OneB1t commented 10 months ago

cannot test it now but latest version should produce something as this: image

OneB1t commented 10 months ago

i keep receiving following error message

root@mmx:/mnt/app/root> on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc i:1304:211
[PersistenceClient::getIntResult] error: result == DOES_NOT_EXIST
-1
root@mmx:/mnt/app/root>

other than that it is working :-)

MicrosoftTeams-image (1)

OneB1t commented 9 months ago

maybe following data can be also loaded from some persistence channels? (maneuver, destination dist) image

jilleb commented 9 months ago

In the car right now, going through the green menu to see what other live data is displayed there.

Dead reckoning has Speed and Heading
Map position has height
Road attributes has current street, distance to next move, exit name, Heading

In the past I wrote a persistence address scanner, that would go over a range of addresses to see what's there. I never used it while driving, or navigating/playing audio in Android Auto, so maybe there's more useful info there.

If only we could get the exlap data from the console... Then we would have whatever data we want! Transmission temperature would be the most interesting.

OneB1t commented 9 months ago

Can you specify which script it is using? Also please specify full path where you find this so i can try to replicate at my car.

jilleb commented 9 months ago

Yes, I'm in the office now so I can check the .esd files to see where they get their data. I'll get you a list of persistence addresses for these data elements in about an hour.

jilleb commented 9 months ago

The following elements are found in the green engineering menus (esd files), which all represent persistence coding addresses we can call with the pc command: (format I used here is: <label>: <type> per <partition> <address>)

speed: int per 0x01c500e6 108
heading: int per 0x01c500e6 109
angular velocity (deg/sec): int per 0x01c500e6 101

road attributes: 0x01c500e6 111 this contains the following data elements (name, type, size):

map position: 0x01c500e6 110 this contains the following data elements (name, type, size):

About the AndroidSensors, address 1304 210 holds the update frequency. If it's 0, the data isn't refreshed. So I think we need to set:

on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc i:1304:210 1

And then the ones you tested above that lead to a -1 could possibly work? Hopefully, then the Android sensor data will provide some information. I need to check the other addresses in this 1304 range to see what else is there, while I'm playing music in Android and/or navigating in Maps/Waze.

During a persistence scan in 2020, I found the following addresses to be valid within this partition: image

And then there are some other data elements related to media, although I haven't checked them yet:

PSD Artist: String per 1 0x00012021
PSD Title: String per 1 0x00012020

And these could be useful for a proof of concept:

WLAN name: Blob per 28836065 40
WLAN password: Blob per 28836065 39
TMC message: Blob per 29688038 210
GPS coordinates: Blob per 29688038 504

I got data from these. To get the data it's always like this:

on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc b:28836065:40

where b = blob, s = string, i = integer

I'll search some more elements. Edit, more data elements:

Driving state: String 0x01be00df 501
Think blue score: int 0x01be00df 502
Vehicle Acceleration: int 0x01be00df 503

And some experimental ones in the same area I didn't validate:

Vehicle speed: int 0x01be00df 504
Car in reverse (boolean): int 0x01be00df 505
Car driving (boolean): int 0x01be00df 506
Engine: String 0x01be00df 507
2nd Engine: String 0x01be00df 508
Gear type: String 0x01be00df 509

jilleb commented 9 months ago

Did some more research, unfortunately I don't have access to the MIB2 at work, because that would make life easier. There's a developer script, rdActivateSDIS.sh:

#!/bin/sh
. "/scripts/commonConfigExchange.sh"

setup_mmx()
{
    ${MOUNT} -uw "/mnt/system"
    ${MV} "${MMX_CFG_DIR}/rdiserver.json" "${MMX_CFG_DIR}/rdiserver_exlap.json"
    ${MV} "${MMX_CFG_DIR}/rdiserver_full.json" "${MMX_CFG_DIR}/rdiserver.json"
    ${MOUNT} -ur "/mnt/system"
    ${SYNC}
    slay rdiserver
}

if [ -e "${MMX_CFG_DIR}/rdiserver_full.json" ] ; then
    setup_mmx
    ${ECHO} "Done."
else
    ${ECHO} "Target is already configured for sdis communication."
fi

no idea what this does, but the contents of rdi_server_exlap.json is as follows:

{
 "baselibname" : "exlap_plugin",
  "path" : "/eso/bin/apps/",
  "ignore_plugin_errors" : true,
  "supervision" : {
    "queue_error_level" : 200,
    "queue_warning_level" : 150,
    "queue_stay_time_ms" :1000,
    "update_cycle_ms" : 4000
  },
  "datastorage" : {
    # location where to store the files
    "location" : "/tmp/",
    # maximum filesize for one file in kilobyte
    "max_file_size_in_kb" : 2000
  },
  "connectivity" : {
        "add_dlink" : false,
        "add_local" : true,
        "bind_retry_count" : 100,
        "bind_retry_sleep_time" : 100,
        "listener" : [
                {
                        "name" : "uap0",
                        "type" : "wlan"
                },
                {
                        "name" : "ncm0",
                        "type" : "usb"
                },
                {
                        "name" : "mlan0",
                        "type" : "wlan"
                }
        ]
  }
}

Looks like it can write exlap data to /tmp, next to having it available on the local network.

OneB1t commented 9 months ago

on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc b:28836065:40 image

this is working well for me but address 1304 there is nothing :-) EDIT: ok found something image

EDIT: you were right, first you need to write to update:

on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc i:1304:210 1

GREAT SUCCESS!!! after enabling of this field i now have this image

road attributes: 0x01c500e6 111 && map position: 0x01c500e6 110 are for integrated navigation :-/ so that is no use for AA integration

if we can only somehow find out this maneuver position somewhere in the memory then it will be possible to render "next move" with proper arrow, distance and everything 😢

jilleb commented 9 months ago

Awesome!!!

Let's scan some more partitions and addresses to see what's there. There is a Car partition

OneB1t commented 9 months ago

problem is if you need to write something somewhere before those data are visible...

but based on android auto data i can make it auto-enable and auto-disable so when there is no android auto running VC will return to normal in-car navigation map :-) it will be so awesome

also in case that we cannot use on -f mmx to read data from some part of memory we can still try to read GAL process memory from python (something like trainer for games) and get the data that way

OneB1t commented 9 months ago

maybe we can also take next turn from GAL logs there should be following line inside log which contains image

image

jilleb commented 9 months ago

Sounds like a good idea!!

OneB1t commented 9 months ago

now the question is where is the log file :-) and can we point it to /tmp folder to not kill internal memory? also how to set up GAL_trace logging level?

parsing log in python should be quite easy task

OneB1t commented 9 months ago

maybe this? and where is the resulting file stored? image

jilleb commented 9 months ago

If I remember it correctly, the file is written to a specific debug console, when you're connected to a specific port on the device.

Check this script out, it can get info from persistence address (not my script)

#!/bin/sh

revision="persistance v0.1.3 (2023-05-16 by MIBonk)"
# use --help for more info

export PATH=:/proc/boot:/sbin:/bin:/usr/bin:/usr/sbin:/net/mmx/bin:/net/mmx/usr/bin:/net/mmx/usr/sbin:/net/mmx/sbin:/net/mmx/mnt/app/armle/bin:/net/mmx/mnt/app/armle/sbin:/net/mmx/mnt/app/armle/usr/bin:/net/mmx/mnt/app/armle/usr/sbin
export LD_LIBRARY_PATH=/net/mmx/mnt/app/root/lib-target:/net/mmx/mnt/eso/lib:/net/mmx/eso/lib:/net/mmx/mnt/app/usr/lib:/net/mmx/mnt/app/armle/lib:/net/mmx/mnt/app/armle/lib/dll:/net/mmx/mnt/app/armle/usr/lib
export IPL_CONFIG_DIR=/etc/eso/production

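thisname="$(basename "$0")"
thisdir="$(dirname "$0")"

# Load the toolbox globals ($TMP, $BC, $PERSR, ...) unless they are already set
if [ -z "$LOG" ]; then
    . "$thisdir/../config/GLOBALS" 1> /dev/null
fi

if [ -f "$TMP/reboot.mib" ]; then
    echo "Reboot running..."
    return 2> /dev/null
fi

# Only treat $1 as an option when at least one more argument follows it
if [ -n "$2" ]; then
    VALUE=$1
else
    VALUE=""
fi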

    case $VALUE in

    -r) {

trap '' 2

PART=$2
START=$3
END=$4

if [ -z $END ]; then
    END=$(echo $START + 1 | $BC)
else
    if [[ $END -le $START ]]; then
        END=$(echo $START+1 | $BC)
    else
        END=$(echo $END+1 | $BC)
    fi
fi

echo -ne "part-dec,part-hex,addr-dec,addr-hex,data,object\n"
while [ $START -lt $END ]; do
    VALUEHEX=0x$(echo "obase=16; $START" | $BC)
    PARTHEX=0x$(echo "obase=16; $PART" | $BC)
    echo -ne "$PART,$PARTHEX,$START,$VALUEHEX,"
    OBJECT=",blob"
    SUBJECT="$($PERSR $PART $START -t blob 2> /dev/null)"
    if  [ -z "$SUBJECT" ]; then
        OBJECT=",int"
        SUBJECT="$($PERSR $PART $START -t int 2> /dev/null)"
        if  [ -z "$SUBJECT" ]; then
            OBJECT=",string"
            SUBJECT="$($PERSR $PART $START -t string 2> /dev/null)"
            if  [ -z "$SUBJECT" ]; then
                SUBJECT=""
                OBJECT=",error"
            fi
        fi
    fi
    echo -ne $SUBJECT
    echo -ne $OBJECT
    echo -ne "\n"
START=$(echo $START +1 | $BC)
done
echo -ne "\n"

trap 2

return 2> /dev/null

    };;

    # help or unknown parameter ------------------------------
    *) {
        echo ""
        echo $revision
        echo ""
        echo "Usage: "$thisname" [OPTION] <partition> <startadress> [endadress]"
        echo ""
        echo "Options:"
        echo "        -r                read data"
        echo "        --help            show this help"
        echo ""
        echo "Note: Backup will only work in RCC bash!"
        echo ""
        echo "This program is free software; you can redistribute it and/or"
        echo "modify it under the terms of the GNU General Public License"
        echo "as published by the Free Software Foundation; either version 2"
        echo "of the License, or (at your option) any later version."
        echo ""
        echo "This program is distributed in the hope that it will be useful,"
        echo "but WITHOUT ANY WARRANTY; without even the implied warranty of"
        echo "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
        echo "See the GNU General Public License for more details."
        echo ""
        echo "You should have received a copy of the GNU General Public License"
        echo "along with this program; if not, write to the Free Software Foundation,"
        echo "Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA."
        echo ""

    };;

    esac

exit 0

jilleb commented 9 months ago

Small addition to this, while I'm chatting with a friend about this... When retrofitting the MIB3 to a car that previously had a MIB2, the same cluster will all of a sudden display media info for Carplay and Android Auto, as well as CP/AA navigation instructions... So the cluster/AID is ready to receive the right data and display them in the right way... but on what channel... that's a mystery to me.

OneB1t commented 9 months ago

yes i seen that too before :-) i would expect that it is using the same channel as telephony or radio data

jilleb commented 9 months ago

That would be BAP or CAN

OneB1t commented 9 months ago

if we can just find some example how to send one of those messages i think we can try to guess what AA message should look like :-)

jilleb commented 9 months ago

Forget about earlier script, I found one of my old ones

#!/bin/sh

export LD_LIBRARY_PATH=/mnt/app/root/lib-target:/eso/lib:/mnt/app/usr/lib:/mnt/app/armle/lib:/mnt/app/armle/lib/dll:/mnt/app/armle/usr/lib 
export IPL_CONFIG_DIR=/etc/eso/production 

#info
DESCRIPTION="This script will get info from a lot of persistence addresses and puts it out to sda0"
#optional inputs:
# $1: partition
# $2: start address
# $3: max address to be scanned

#Firmware/unit info:
VERSION="$(cat /net/rcc/dev/shmem/version.txt | grep "Current train" | sed 's/Current train = //g' | sed -e 's|["'\'']||g' | sed 's/\r//')"
FAZIT=$(cat /tmp/fazit-id);

echo "---------------------------"
echo "$DESCRIPTION" 
echo "FAZIT of this unit: $FAZIT"
echo "Firmware version: $VERSION"
echo "---------------------------"
sleep .5

#Is there any SD-card inserted?
if [ -d /net/mmx/fs/sda0 ]; then
    echo SDA0 found
    VOLUME=/net/mmx/fs/sda0
elif [ -d /net/mmx/fs/sdb0 ] ; then
    echo SDB0 found
    VOLUME=/net/mmx/fs/sdb0
else 
    echo No SD-cards found.
    exit 1
fi

#sleep .5

echo Mounting SD-card at $VOLUME.
mount -uw $VOLUME

sleep .5
echo Creating Dump folder on $VOLUME
DUMPFOLDER=$VOLUME/DUMP/$VERSION/$FAZIT/Persistence/
mkdir -p $DUMPFOLDER

IDFILE=$DUMPFOLDER/id.txt
PARTITIONFILE=$DUMPFOLDER/partition.txt
NOW=$(date)

if [ "$3" != "" ]; then
    MAXSCAN=$3;
else
    MAXSCAN=100000000;
fi

#resolve the partition first, so the messages below can print it
if [ "$1" != "" ]; then
  PARTITION=$1;
  echo $PARTITION > $PARTITIONFILE
else
  if read PARTITION < $PARTITIONFILE ; then   #this is for session continuation
    echo "Reading last used partition from SD"
  else
    exit 1
  fi
fi

echo "Scanning partition $PARTITION"

if [ "$2" != "" ]; then
    ADDRESS=$2;
    echo "Starting at $ADDRESS"
else
  if test -f "$IDFILE"; then
      echo "$IDFILE found"
      #read last known address from id-file
      read ADDRESS < $IDFILE
      echo "Continuing at $ADDRESS"
  else
      echo "It looks like this is the first time scanning, starting at 0"
      ADDRESS=0
  fi
fi
#sleep .5

#starting loop

while [ $ADDRESS -le $MAXSCAN ]
do
  #echo "-----------------"
  echo "Scanning $PARTITION:$ADDRESS"

  #first check if ths address even exists or causes a time-out.
    PERSISTENCEDATA="$(on -f mmx on -f mmx /net/mmx/mnt/app/eso/bin/dumb_persistence_reader $PARTITION $ADDRESS 2>&1)"  
    if [[ "$PERSISTENCEDATA" == *"PERS_STATUS_TIMEOUT"* ]] ; then
      if echo $PARTITION";"$ADDRESS";TIMEOUT" >> $DUMPFOLDER/persistence.txt ; then
        echo "Timeout, skipping address" 
      else 
        echo "Scan cancelled"
        exit 1
      fi
    elif [[ "$PERSISTENCEDATA" == *" PERS_STATUS_TYPE_MISMATCH"* ]] ; then
      echo "Type mismatch, trying integer"
      PERSISTENCEDATAI="$(on -f mmx on -f mmx /net/mmx/mnt/app/eso/bin/dumb_persistence_reader $PARTITION $ADDRESS -t int 2>&1)"
        if [[ "$PERSISTENCEDATAI" == *"PERS_STATUS_TYPE_MISMATCH"* ]] ; then
          echo "Type mismatch, trying string"
          PERSISTENCEDATAS="$(on -f mmx on -f mmx /net/mmx/mnt/app/eso/bin/dumb_persistence_reader $PARTITION $ADDRESS -t string 2>&1)"
          if echo $PARTITION";"$ADDRESS";string;"$PERSISTENCEDATAS >> $DUMPFOLDER/persistence.txt ; then
            echo "DATA FOUND:"
            echo $PERSISTENCEDATAS
          else         
            echo "!Scan cancelled"
            exit 1
          fi
        elif [[ "$PERSISTENCEDATAI" != *"ERROR"* ]] ; then
          if echo $PARTITION";"$ADDRESS";integer;"$PERSISTENCEDATAI >> $DUMPFOLDER/persistence.txt ; then
            echo "DATA FOUND:"
            echo $PERSISTENCEDATAI
          else         
            echo "!Scan cancelled"
            exit 1
          fi         
        fi 
    elif [[ "$PERSISTENCEDATA" == *"PERS_STATUS_DOES_NOT_EXIST"* ]] ; then
          :
          #do nothing
    else 
      if echo $PARTITION";"$ADDRESS";blob;"$PERSISTENCEDATA >> $DUMPFOLDER/persistence.txt ; then
        echo "DATA FOUND:"
        echo $PERSISTENCEDATA
      else
        echo ""
        echo "!Scan cancelled"
        exit 1
      fi

    fi

  #only write the ID to the text once every 100 times, to speed up.
  if (( $ADDRESS % 100 == 0 ))
  then
    if echo $ADDRESS > $IDFILE; then
    echo "writing to id.txt to save scan session"
    echo "Scanned $PARTITION until $ADDRESS at $NOW" > $DUMPFOLDER/scanlog.txt
    else 
        echo ""
        echo "!Scan cancelled"
      exit 1
    fi
  fi

  #increase the address with 1  
    ADDRESS=$(( $ADDRESS + 1 ))

done

# Make readonly again
mount -ur $VOLUME
echo "Persistence scan done"

exit 0

I did some scanning of the persistence addresses while I was on the road, navigating in Android Auto and playing music. I am not worried I need to set a value before data shows up, because the persistence addresses respond with a reply either way. So it will at least find any "yet to be activated" addresses this way.

So far I have the following results from some partitions (nothing of real use here, and I just scanned the first 2000 addresses of each partition):

partition address type data
1304 (Smartphone integration) 50 string gal=1, carplay=1, mirrorlink=2, m_carlife=2
1304 (Smartphone integration) 51 string gal=1, carplay=1, mirrorlink=1
1304 (Smartphone integration) 53 string updateAvailable=0, major=1
1304 (Smartphone integration) 54 string gal=1, carplay=1, mirrorlink=0
1304 (Smartphone integration) 55 string usb=1, exlap=1
1304 (Smartphone integration) 56 string carlifeAndroid=0, carlifeiOS=0, usb=3
1304 (Smartphone integration) 57 string carlifeiOS=0, carlifeAndroid=0
1304 (Smartphone integration) 210 integer 1
1304 (Smartphone integration) 211 integer 0
1304 (Smartphone integration) 212 integer 1
1304 (Smartphone integration) 213 integer 387
1304 (Smartphone integration) 214 string n/a
1304 (Smartphone integration) 215 integer 0
1304 (Smartphone integration) 216 integer 33333
1304 (Smartphone integration) 217 integer 11
1304 (Smartphone integration) 218 integer 6
1304 (Smartphone integration) 219 integer 522431337
1304 (Smartphone integration) 220 integer 62743428
1304 (Smartphone integration) 221 integer 20000
1304 (Smartphone integration) 222 integer 0
1304 (Smartphone integration) 223 integer 32378
1304 (Smartphone integration) 224 integer 290000000
1304 (Smartphone integration) 225 integer 0
1304 (Smartphone integration) 226 string 555824000000
1501 (ONLINE) 0 integer 21
1501 (ONLINE) 1 integer 0
1501 (ONLINE) 2 integer 20
1501 (ONLINE) 3 integer 1
1501 (ONLINE) 4 string Live
1501 (ONLINE) 5 string VSSZZZ5FZLR107852
1501 (ONLINE) 6 TIMEOUT
1501 (ONLINE) 7 TIMEOUT
1501 (ONLINE) 8 TIMEOUT
1501 (ONLINE) 9 TIMEOUT
1501 (ONLINE) 10 string ;
1501 (ONLINE) 11 string ;
1501 (ONLINE) 12 string ;
1501 (ONLINE) 13 integer 1
1501 (ONLINE) 14 string ;
1501 (ONLINE) 15 string ER-mib2high-mbbservices.audi-connect.de
1501 (ONLINE) 16 string T0MIB2
1501 (ONLINE) 17 string ;
1501 (ONLINE) 18 string ONLINE_STATE_BLOCKED
1501 (ONLINE) 19 string MHI2_ER_SEG11_P4709
1501 (ONLINE) 20 integer 14
1501 (ONLINE) 21 integer 0
1501 (ONLINE) 22 integer 13
1501 (ONLINE) 23 integer 0
1501 (ONLINE) 24 string live_EU
1501 (ONLINE) 25 string ;
1501 (ONLINE) 26 string MUAccess
1501 (ONLINE) 27 string ;
1501 (ONLINE) 28 integer 0
1501 (ONLINE) 29 integer 0
1501 (ONLINE) 30 string ;
1501 (ONLINE) 31 string ;
1501 (ONLINE) 32 string not registered yet
1501 (ONLINE) 33 string DEV_FOUND, GPS_ALLOWED, GPS_ACTIVE
1501 (ONLINE) 34 string not available
1501 (ONLINE) 35 string not available
1501 (ONLINE) 36 string not available
1501 (ONLINE) 37 integer 1
1501 (ONLINE) 38 string Using VIN from car (persistence fallback)
1501 (ONLINE) 39 string ;
1501 (ONLINE) 40 TIMEOUT
1501 (ONLINE) 41 TIMEOUT
1501 (ONLINE) 42 TIMEOUT
1501 (ONLINE) 43 TIMEOUT
1501 (ONLINE) 44 TIMEOUT
1501 (ONLINE) 45 TIMEOUT
2001 (Unknown partition) 4 blob 00000006000000020001000000080000001144343a33413a32433a42373a31393a3746000000080000000f424c4d5f4143544956455f4d4f4445000000080000000a4243525f4d415354455200000000
2001 (Unknown partition) 101 string 14.44.35p233
2001 (Unknown partition) 1000 blob 000000080000000974656c6570686f6e65000000080000000b7631302e3735342e31363200000008000000024e6f0000000800000003302f350000000800000009626c7565746f6f7468000000080000000b7631302e3735342e31363200000008000000024e6f0000000800000003302f350000000800000011636f6e6e656374696f6e6d616e61676572000000080000000b7631302e3735342e31363200000008000000024e6f0000000800000003302f3500000008000000096d6573736167696e67000000080000000b7631302e3735342e31363200000008000000024e6f0000000800000003302f3500000008000000086465762d75706e70000000080000000b7631302e3735342e31363200000008000000024e6f0000000800000003302f3500000008000000076274737461636b000000080000000b7631302e3735342e31363200000008000000024e6f0000000800000003302f3500000008000000036e6164000000080000000b7631302e3735342e31363200000008000000024e6f0000000800000003302f3500000000
5018 (MIRRORLINK) 200 blob 37424d580000000000ad000f000b010000000000000000010001
5021 (Car) 1001 blob 0b16212c1f8b080000000000000063606058c7c0c8c0c0e00bc45240ac02c4d640ec05c416406c03c40140ec0dc4c168d80f2a1e0dc45658e491d521f33d80d8188f7a646ccbc028b09f8181f9268c0600a149a004b2000000
5021 (Car) 1002 blob 0b16212c1f8b0800000000000000636060f8c380008140ec05a583a118c4b607623f20f606625fa81a98bc1b100740d94148e2e8d80f8def04c49120b6c3dceecf0edac6a60e17e2273becb955ea70eaa1a7c351b99d0ebf1dee385cf87ac8e1e1ddfb0e7be576397c9e74dc6181c637a0ba098edce24f1cb56cf31d6a99731c5aa47d1d9602e5776cac77d8ddaae0702d2dcde194b794c383c5d71daebe6e71d8c2c0e87063f12d87436ce71d25ffff772c5dbcd2e168d23fa0ddb20070ae50cd00010000
5025 (EXLAP) 1000 blob 37424d58000000000014000500010100000002
Here's an overview of all partitions that I currently know about:

partition NAME
0 NS_REGION_CODE
1 HARMAN internal (AM/FM?)
2 HARMAN internal
3 HARMAN internal
4 HARMAN internal
5 HARMAN internal
6 HARMAN internal
7 HARMAN internal
8 HARMAN internal
9 HARMAN internal (Datasets, adaptations, identifications factory reset)
10 HARMAN internal
11 HARMAN internal (Audio?)
12 HARMAN internal (SDARS Radio)
13 HARMAN internal (MOST)
14 HARMAN internal
15 HARMAN internal(PictureServer)
16 HARMAN internal
17 HARMAN internal (DAB?)
18 HARMAN internal
19 HARMAN internal(GN log?)
20 HARMAN internal
21 HARMAN internal
22 HARMAN internal
23 HARMAN internal
24 HARMAN internal
25 HARMAN internal(TV)
26 HARMAN internal(Unified Stations)
27 HARMAN internal(Japan Tuner)
28 HARMAN internal
29 HARMAN internal
30 HARMAN internal(unit info?)
31 HARMAN internal(Tuner)
32 HARMAN internal
33 HARMAN internal
34 HARMAN internal
35 HARMAN internal
36 HARMAN internal
37 HARMAN internal
257 ota?
262 Resource info
1101 LSC
1209 NAV
1210 Navigation Persistence Manager
1211 Navigation Persistence Manager
1300 media_version_2.0
1301 Media
1303 smartphone_integration_v0.1
1304 Smartphone integration
1500 1.0
1501 online
1502 1.0
1510 sse
1512 ARC
1513 Esoposprovider
1514 Scale DTCP
1517 Operator Name
1519 traces
1999 traceserverRCC
2000 traceserverMMX
2001 Connectivity?
2002 mobilityhorizon
5000 "EARLY"
5003 "DAB"
5005 "AMFM"
5006 "NAVI"
5007 "MEDIA"
5008 "PHONE"
5009 "SPEECH"
5010 "DISPLAY"
5011 "ENTERTAINMENT_MANAGER"
5012 "BAP"
5013 "SDARS"
5014 "TV"
5016 "INTERNETBROWSER"
5017 "EXBOX"
5018 "MIRRORLINK"
5019 "ITUNES"
5020 "NAVHIGHASIA"
5021 "CAR"
5022 "ONLINE"
5022 DSI-unversioned
5023 "TRAVELLINK"
5025 "EXLAP"
5026 "SOUND"
5026 DSI-unversioned
5027 "TRAFFICMINIMAP"
5028 "SMARTPHONEINTEGRATION"
5050 DSI-unversioned
5051 DSI-unversioned
5052 DSI-unversioned
5053 DSI-unversioned
5055 DSI-unversioned
5056 DSI-unversioned
5057 DSI-unversioned
5058 DSI-unversioned
6000 DSI-unversioned
6789 Tegra hardware info
6789 DSI-unversioned
8765 DVD hardware info
8765 DSI-unversioned
26411208 NS_HMI_DAB
27263191 NS_HMI_CAR
27853016 NS_HMI_AUDIO
28180695 DIAG_COD
28442848 DIAG_ANP
28836065 Connectivity? Mirrorlink and such
29229279 HMI
29425895 NS_HMI_ENS
29688031 NS_HMI_IRC
29688038 NAV
30802154 Media Player
30867691 speech-service
32702714 NS_HMI_PWR
46661922 NS_HMI_TUNER_AMFM
46924065 IDENTIFIKATION
46924066 CU_BT
46924067 CU_STATIONDB
46924068 CU_MIRRORLINK
46924069 CU_USBSURFSTICK
46924070 CU_PERSONALPOI
46924071 CU_NAVCARUPDATE
46924072 CU_GRACENOTE
52166966 UP AND DOWNLOAD
98190593 NS_HMI_SDARS
678364556 ENGNS, AMI type etc. (INFO)
1062713629 Wifi channel?
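
The scanner above appends `partition;address;type;data` lines to persistence.txt. The following is an added example, not code from either participant: it parses such lines, applies the E7/E3/E2/E6 scaling from the 1304 table, and masks values that identify the car or a paired device before a dump is shared. The sample lines are constructed, and reading "E7" as "integer scaled by 10**7" is an assumption.

```python
import re
from typing import NamedTuple, Optional

# 1304 key -> (label, power-of-ten scale), from the table earlier in this thread.
# Reading "E7" as "integer scaled by 10**7" is an assumption of this example.
# Keys 214 and 226 are left out: the scan above reports them as strings.
SENSOR_KEYS = {
    211: ("Drive level", 0), 212: ("Night mode", 0), 213: ("Distance", 0),
    215: ("Fuel level low", 0), 216: ("Speed", 0),
    217: ("Satellites in view", 0), 218: ("Satellites in use", 0),
    219: ("GPS latitude", 7), 220: ("GPS longitude", 7),
    221: ("GPS accuracy", 3), 222: ("GPS altitude", 2),
    223: ("GPS speed", 3), 224: ("GPS bearing", 6), 225: ("Parking brake", 0),
}

VIN_RE = re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b")           # 17 chars, no I/O/Q
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


class Record(NamedTuple):
    partition: int
    address: int
    kind: str   # "integer", "string", "blob" or "TIMEOUT"
    data: str


def parse_line(line: str) -> Record:
    """Parse one 'partition;address;type;data' line as written by the scanner."""
    parts = line.rstrip("\r\n").split(";", 3)   # the data field may contain ';'
    if len(parts) == 3 and parts[2] == "TIMEOUT":
        return Record(int(parts[0]), int(parts[1]), "TIMEOUT", "")
    if len(parts) != 4:
        raise ValueError(f"unexpected scan line: {line!r}")
    return Record(int(parts[0]), int(parts[1]), parts[2], parts[3])


def decode_sensor(rec: Record):
    """Return (label, scaled value) for a known 1304 integer key, else None."""
    if rec.partition != 1304 or rec.kind != "integer":
        return None
    if rec.address not in SENSOR_KEYS:
        return None
    label, exponent = SENSOR_KEYS[rec.address]
    value = int(rec.data)
    return label, (value / 10 ** exponent if exponent else value)


def sensitive_reason(rec: Record) -> Optional[str]:
    """Say why a record identifies the car or its owner, or return None."""
    if rec.partition == 1304 and rec.address in (219, 220):
        return "GPS position"
    text = rec.data
    if rec.kind == "blob":
        try:
            # Blobs are hex dumps; look at the bytes they encode.
            text = bytes.fromhex(rec.data).decode("latin-1")
        except ValueError:
            pass
    if rec.kind == "string" and VIN_RE.search(text):
        return "VIN-shaped string"
    if MAC_RE.search(text):
        return "MAC address"
    return None


def redact_dump(lines):
    """Return the dump with identifying values replaced by a marker."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = sensitive_reason(rec)
        if reason:
            out.append(f"{rec.partition};{rec.address};{rec.kind};<redacted: {reason}>")
        else:
            out.append(line.rstrip("\r\n"))
    return out


# Constructed sample input (not values from a real unit).
SAMPLE_BLOB = (bytes.fromhex("0000000800000011") + b"02:00:00:AA:BB:CC").hex()
SAMPLE_DUMP = [
    "1304;210;integer;1",
    "1304;219;integer;521234567",
    "1304;220;integer;61234567",
    "1304;224;integer;290000000",
    "1501;5;string;ZZZZZZ00000000001",
    "1501;6;TIMEOUT",
    "1501;10;string;;",
    "2001;4;blob;" + SAMPLE_BLOB,
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_DUMP):
        decoded = decode_sensor(rec)
        if decoded:
            print("%s = %s" % decoded)
    print("\n".join(redact_dump(SAMPLE_DUMP)))
```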

jilleb commented 9 months ago

Finding some bigger data elements in the Smartphone integration partitions, in a format unknown to me. I'll paste it all here, maybe you have an idea.

Edit: GZIPped data! I'll dive into it.

PARTITION ADDRESS TYPE DATA PARTITION NAME
27263191 1 integer 4294967295 NS_HMI_CAR
27263191 2 integer 4294967295 NS_HMI_CAR
27263191 3 integer 4294967295 NS_HMI_CAR
5000 200 blob 37424d580000000047ee065400130201020600030600000000000000018c21795528000000000101000000820101000001040000000001ffffffff  "EARLY"
5000 300 blob 00010700  "EARLY"
5007 1001 blob 37424d5800000000248a07ff00050000000000000000010000000000000000ffffffffffffffff  "MEDIA"
5007 1004 blob 37424d5800000000000d0004000100000002  "MEDIA"
5008 100 blob 37424d58000000000f9013d100090000000000000000000000ffffffffffffffffffffffff000000020000001133433a30313a45463a31413a33313a39390000001144343a33413a32433a42373a31393a3746  "PHONE"
5011 200 blob 37424d580000000003820025000a000000080000000100000003000000010000000200000002000000000000000800000001  "ENTERTAINMENT_MANAGER"
5022 200 blob 37424d580000000000810010000f00000000000000  "ONLINE"
5026 100 blob 37424d5800000000004d00050003000000010000000000000000000000  "SOUND"
5028 200 blob 0b16212c1f8b080000000000000063606078c7c0c6c0c0206060906866669c66669c649498629e940414e304620e2066e033723230377473f1303630308e0c4396524836b13430493537494b4eb6304d4a313333b43037314a3237b730354e364d4d852a66600462aec0307343c3a02043231364335853730b4a2a199000ed441801b0336c48f2000000  "SMARTPHONEINTEGRATION"
5050 0 blob 37424d58000000000065000a0001000000000000000000000001000200000000020000000003 DSI-unversioned
5051 0 blob 0b16212c1f8b080000000000000085ce491280200c44d12083a080b3f73fa247900fa52ecde2d155240111b944c9574a0c87830d2638b851d9d486521d69046d0b75842089184919665860f5859d743255dfd22ad48de6d9a8c18005073d7808b4b517da27e47f0486f7b311d20d1a427b03f4000000 DSI-unversioned
5052 0 blob 0b16212c1f8b080000000000000075930972c2300c45ed244e0c6403c25a1a96b6d0ed34bdff61caf3160303333c644bb6f5252144f627a4183e52e4fcfc80df8c0d90801c146cc9136e0d46600c26b84b50819abd06ab055396333067d9612dc0052cc10aacc1066cc10bd88157d0833d386026d7efd11b27ee7d071fe00c3ec117f836513d394be515a52003ca08144ee0833450b25961d5580d68594e393b037311a4e15d82158e35d880adba5545f69953968ac28b312d494c2a3e221df2542ecfccca90da05b37fa5cc3b7bddd515ac67828d68914b1b59b8b70bdb6ddb7cae4f753899ba53dadeb9c85c03b59cf6ae6cb277a54b7a57be14a3e40eef52def5bcec993b63272a9a23936be52a3e12898aab3016fa2e77a35afb02e53a7e6f228a211abfd621ba93717ae57d6474af8e03ab41db6d2146be10e6a072676a2bf462c600ecc1812b8f5827acb761ba79e66c2ad00a3b4bb5ac5836fec126f45b84ae75de611abb93a1dc1debb1a1f98f85bf6113eb1da6e7516febc6d02b4bfe01556952f556040000 DSI-unversioned
5055 0 blob 0b16212c1f8b080000000000000045cec50e42311005d03edcf5e112dc2d480284ffff2e382bba38bd77a68b8610ad4314fe270ab938e5c6d1e48433aeb8e16efbf02c3a8909246d52521a19358b1cf266051463bd84322aa8a2863a1ab14f353d6fa16dd841173df431b01d62a48e3151a798616eb69096d20a6b6cccb6d8a97be9808bfac44b7da77f7cbe834a1f1b2b010000 DSI-unversioned
5056 0 blob 37424d580000000003a1003100010000000000000000000000010000000000010106040000000103000000020300000003030000000404000000050000000006 DSI-unversioned
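
A triage helper for the blob shapes visible in the scan tables of this thread, added here as an example and not written by either participant. It goes beyond the gzip case: it also recognises blobs that begin with 37424d58 (ASCII "7BMX") and blobs built from length-prefixed records. The record layout (u32 tag, u32 length, value, big-endian, tag 0 as terminator) is inferred from the hex on this page, not from a documented format; the gzip and record samples are constructed.

```python
import gzip
import struct
import zlib

BMX_MAGIC = bytes.fromhex("37424d58")      # ASCII "7BMX"
WRAP_PREFIX = bytes.fromhex("0b16212c")    # 4 bytes seen in front of the gzip header
GZIP_HEADER = b"\x1f\x8b\x08"              # gzip magic followed by the deflate method byte


def parse_tlv(raw: bytes):
    """Parse (tag, value) records; the layout is inferred, see the lead-in."""
    records, pos = [], 0
    while pos + 4 <= len(raw):
        (tag,) = struct.unpack_from(">I", raw, pos)
        if tag == 0:                        # terminator at the end of the blob
            break
        if pos + 8 > len(raw):
            raise ValueError("truncated record header")
        (length,) = struct.unpack_from(">I", raw, pos + 4)
        end = pos + 8 + length
        if end > len(raw):
            raise ValueError("record length runs past the end of the blob")
        records.append((tag, raw[pos + 8:end]))
        pos = end
    return records


def classify_blob(hex_text: str):
    """Return (kind, payload) for one hex-encoded persistence blob."""
    raw = bytes.fromhex(hex_text.strip())
    if raw.startswith(BMX_MAGIC):
        return "7BMX", raw[len(BMX_MAGIC):]
    # Look for the gzip header near the start rather than at a fixed offset.
    start = raw.find(GZIP_HEADER, 0, 16)
    if start != -1:
        inflater = zlib.decompressobj(zlib.MAX_WBITS | 16)   # 16 selects gzip framing
        try:
            payload = inflater.decompress(raw[start:])
        except zlib.error:
            return "gzip-damaged", raw[start:]
        # eof is only set once the CRC/size trailer has been read and verified.
        return ("gzip" if inflater.eof else "gzip-truncated"), payload
    try:
        records = parse_tlv(raw)
    except ValueError:
        records = []
    return ("tlv", records) if records else ("unknown", raw)


# Constructed samples; only BMX_SAMPLE is a value copied from the scan table (5025/1000).
GZIP_SAMPLE = (WRAP_PREFIX + gzip.compress(b'{"constructed": "payload"}')).hex()
TLV_SAMPLE = (struct.pack(">II", 8, 9) + b"telephone"
              + struct.pack(">II", 8, 2) + b"No"
              + struct.pack(">I", 0)).hex()
BMX_SAMPLE = "37424d58000000000014000500010100000002"

if __name__ == "__main__":
    for name, blob in (("gzip", GZIP_SAMPLE), ("tlv", TLV_SAMPLE), ("7bmx", BMX_SAMPLE)):
        print(name, classify_blob(blob))
```

A blob cut short while copying it out of a terminal comes back as `gzip-truncated` with whatever could be inflated, so a partial result is not mistaken for the whole value.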

OneB1t commented 9 months ago

even after ungzipping i cannot tell what it could be :-/

jilleb commented 9 months ago

Me neither.. probably something that's not of use. Could even be just the saved radiostations or something like that. I'll continue the scan. It goes fairly slow.. but I forgot how much fun it is to let it scan.

OneB1t commented 9 months ago

smartphone integration field actually have some string inside it no idea what they mean

î  00a663f63b2ad7bb 2B071FDH3003YV c4904e74fcc85bd6618742b77853c5ee 

jilleb commented 9 months ago

Might be some kind of sessionkey, or identifier for the android auto session?

jilleb commented 9 months ago

I'll put my MIB2 on desk in the afternoon and do some more readings. I think it's best if I throw all the persistence findings in a wiki on the toolbox repo, to prevent this place from becoming a junkyard 😄

OneB1t commented 9 months ago

do you know what is the cheapest MIB2 unit i can get my hands on which will still behave internally as my MIB2.5 discovery pro? If i can develop on bench i think i will be able to find out how to read DSI or exlap.

jilleb commented 9 months ago

Any MIB2High unit can become a MIB2.5 Discover Pro. I've converted between various brands of MIB2 to MIB2.5. The cheapest would be to get a cheap 6 inch screen and a MIB2 and install the latest VW G11 (MIB2, non MIB2.5) software on it. MIB2.5 has, besides the bigger screen and lack of some physical buttons, the same features as the MIB2, so it'll do for desk purposes.

jilleb commented 9 months ago

Scan on desk is running.. which is a lot more comfortable than in the car. I don't have AA connected currently, but at least I'll get a map of "potentially interesting addresses" from this

jilleb commented 9 months ago

Scanning continues today, working from home so I can keep my eye on the progress. I'm scanning each partition from 0 to 5000. Some partitions lead to timeouts all over the place.

By the way, I get some log data on the console that looks like this:

1244958437937 INFO [0x200, 0x2, 0x469c13ce] current.gui.language:=en_GB;;protocol.version:=1.2;;part.number:=565035021F;;skin.short.version:=SEAT_HIGH_SKIN_NEW_80_H-HIGH2_EU-4;;hmisoftware.version:=H29.344.66_HIGH2_EU;;software.mu.version:=1447;;vehicle.id:=0403070228;;hmisoftware.base.version:=H29.344.66-201906171929;;generic.event.count:=87;;logmessage.count:=14/0;;active.debug.probes:=[DSIEVENTS];;car.time:=946684800897;;generic.event.queue.size:=0;;logmessage.queue.size:=0/2000;;logmessage.data.size:=4KB;;time:=2000-01-01 0:00:00

I'll see if enabling more traces in the green menu will lead to more useful info.
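
A parser for the console line quoted above, added as an example and not taken from either participant. It splits the `key:=value;;` body into fields and converts `car.time`, read here as milliseconds since the Unix epoch because 946684800897 ms lines up with the `time:=2000-01-01 0:00:00` field in the same line; that reading and the `earliest_year` threshold are assumptions. The sample is a shortened copy of the line from the comment.

```python
import re
from datetime import datetime, timedelta, timezone

# "<number> <LEVEL> [<hex>, <hex>, <hex>] key:=value;;key:=value..."
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+\[([^\]]*)\]\s+(.*)$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Shortened copy of the line quoted in the comment above.
SAMPLE_LINE = (
    "1244958437937 INFO [0x200, 0x2, 0x469c13ce] "
    "current.gui.language:=en_GB;;protocol.version:=1.2;;"
    "active.debug.probes:=[DSIEVENTS];;car.time:=946684800897;;"
    "logmessage.queue.size:=0/2000;;time:=2000-01-01 0:00:00"
)


def parse_trace_line(line: str):
    """Return a dict for one trace line, or None if it has another shape."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    stamp, level, ids, body = match.groups()
    try:
        id_values = [int(part, 16) for part in ids.split(",") if part.strip()]
    except ValueError:
        return None
    fields, unparsed = {}, []
    for segment in body.split(";;"):
        # Split on the first ":=" only; values such as "0:00:00" contain ':'.
        key, sep, value = segment.partition(":=")
        if sep and key.strip():
            fields[key.strip()] = value
        elif segment.strip():
            unparsed.append(segment)
    return {"stamp": int(stamp), "level": level, "ids": id_values,
            "fields": fields, "unparsed": unparsed}


def car_time(fields):
    """Convert car.time (assumed: ms since the Unix epoch) to an aware datetime."""
    raw = fields.get("car.time", "")
    if not raw.isdigit():
        return None
    return EPOCH + timedelta(milliseconds=int(raw))


def clock_looks_unset(fields, earliest_year=2015):
    """True when car.time predates earliest_year (threshold is an assumption)."""
    when = car_time(fields)
    return when is not None and when.year < earliest_year


if __name__ == "__main__":
    record = parse_trace_line(SAMPLE_LINE)
    print(record["level"], [hex(i) for i in record["ids"]])
    print(car_time(record["fields"]), clock_looks_unset(record["fields"]))
```

Lines stamped by a unit whose clock still sits at its default cannot be ordered against phone or server logs by wall-clock time, which is what `clock_looks_unset` is there to flag.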

OneB1t commented 9 months ago

where you get this log from ? is it /var/log or where it is stored?

jilleb commented 9 months ago

It's on the MMX console, so written to stdout.

OneB1t commented 9 months ago

which is /dev/stdout?

jilleb commented 9 months ago

yes, although I'm not sure if anything is communicated when nothing is connected to mmx or rcc console.

jilleb commented 9 months ago

dsi.debuginfo.B2.67.MIB_DSI_2016_KW28-16.28.0.xml.zip

This could be useful

OneB1t commented 9 months ago

DSI will contain all required data now just find a way how to tap into them :-D hacking that .jar file can be good way

OneB1t commented 4 hours ago

Driving state: String 0x01be00df 501
Think blue score: int 0x01be00df 502
Vehicle Acceleration: int 0x01be00df 503
And some experimental ones in the same area I didn't validate:
Vehicle speed: int 0x01be00df 504
Car in reverse (boolean): int 0x01be00df 505
Car driving (boolean): int 0x01be00df 506
Engine: String 0x01be00df 507
2nd Engine: String 0x01be00df 508
Gear type: String 0x01be00df 509

those are not available for me (using following for example)

on -f mmx /net/mmx/mnt/app/eso/bin/apps/pc s:29229279:501

any idea how to reach those?